Twitter is worried about all the media company accounts being hacked, and has released some guidance. These aren’t exploits of Twitter itself, but of media companies, typically through phishing.

Twitter suggests that companies employ a pretty standard set of password security practices in response: changing current passwords, using new ones that are at least 20 characters long and are made up of either randomly generated characters or random words, and never emailing said passwords, even internally …

Given that email accounts are used to reset passwords, Twitter also suggests users change those passwords and implement two-factor authentication on their email accounts if available.

Here is what I suggest on top of Twitter’s suggestions:

Use a dedicated email account for your Twitter account, and don’t make it public. Disable all Twitter email updates to that account, and rely on in-app notifications.

Use strong authentication for that email account, and limit access.

If you need to authorize a new app or employee for Twitter, change the Twitter account password to a new random password each time after you use it for the authorization.

Check your app authorizations daily. You are a media company, and this is one of your biggest channels. I don’t make this recommendation for everyone, but if you are the AP you need to take super extra precautions.

Have an incident response process for suspicious tweets or account access, and make sure you pre-contact Twitter with the right contact info for those authorized to check on the account.

Again, if you are a big media company, use a designated device for tweeting that isn’t used for other things. Notice I said “device”. An iPad is great because you don’t need to worry about background malware.
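To make the "at least 20 characters, random characters or random words" guidance concrete, here is an added example (mine, not Twitter's or Securosis's code) that generates both kinds of password from the OS CSPRNG and computes how many bits of entropy each is worth. The word list is a constructed toy of 24 words so the code runs offline; a real generator would draw from a published list of several thousand words, and the `MIN_LENGTH`, `ALPHABET` and function names are my own choices.

```python
import math
import secrets
import string

# Minimum length from the guidance above: at least 20 characters.
MIN_LENGTH = 20

# Printable ASCII minus whitespace: 94 symbols to draw from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy word list, far too small for real use; a production
# passphrase generator draws from a published list of several thousand words.
WORDS = [
    "anchor", "basalt", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "raven", "saffron", "timber", "umber", "velvet", "willow", "zephyr",
]


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def random_password(length: int = MIN_LENGTH) -> str:
    """Random-character password, using the OS CSPRNG via `secrets`."""
    if length < MIN_LENGTH:
        raise ValueError(f"policy requires at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(min_words: int = 4, words=WORDS, sep: str = "-") -> str:
    """Random-word passphrase; keeps adding words until the length policy is met."""
    chosen = [secrets.choice(words) for _ in range(min_words)]
    while len(sep.join(chosen)) < MIN_LENGTH:
        chosen.append(secrets.choice(words))
    return sep.join(chosen)


def passphrase_entropy(phrase: str, words=WORDS, sep: str = "-") -> float:
    """Entropy credited to a passphrase: only the word choices count, not the letters."""
    return entropy_bits(len(words), len(phrase.split(sep)))


def meets_policy(candidate: str) -> bool:
    """Length policy check; whitespace is rejected because it is easily lost when copied."""
    return len(candidate) >= MIN_LENGTH and not any(c.isspace() for c in candidate)


if __name__ == "__main__":
    pw = random_password()
    print(pw, f"{entropy_bits(len(ALPHABET), len(pw)):.1f} bits")
    phrase = random_passphrase()
    print(phrase, f"{passphrase_entropy(phrase):.1f} bits (toy word list)")
```

Twenty characters from a 94-symbol alphabet is about 131 bits; a passphrase only earns entropy per word chosen, so with a 7,776-word list you need six words to pass 77 bits, and the toy list here is nowhere near that. Either way the value comes from the CSPRNG, not from the length rule alone.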

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

Passwords and session tokens were reset to contain the problem. It is likely that personal information, including direct messages, was exposed. The post asks users to use strong passwords of at least 10 characters, and requests that they disable Java in the browser, which together provide a pretty fair indication of how the attacks were conducted. Disable Java in the browser – where have you heard that before? We will update this post as we learn more.

Update by Rich: Adrian and I both posted this within minutes. Here is my comment:

Also from the post:

This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.

Twitter has a hell of a good security team with some serious firepower, including Charlie Miller.

It won’t surprise any of you to learn that I don’t follow Fox News on Twitter. I know, I can see the shock in your eyes, but I’m not the biggest fan of our friends on the right. Actually, I hate all 24 hour news stations – Fox biased to the right, MSNBC to the left, and CNN to the stupid.

If you read this blog you probably know everything I’m about to write, but it’s probably a good time to review it anyway. If you use these services for business purposes, there are a few precautions to put in place:

If you use social media in your business, make sure you set up accounts (or use your personal accounts) to monitor your official account.

Be very cautious in how you handle your account credentials (who you give them to, how they are secured, etc.). The list of people with access should definitely be very short. Use an OAuth-based service or application to allow employees to tweet to your account without having to give them your account password. This is how most Twitter clients work today, for example.

If you are large enough, talk to your provider ahead of time to understand how to report problems, and who to report them to. The last thing you want to be doing is hanging out waiting for a help desk person to see your request in the queue. Make contact, get a name, and establish a validation process to prove you are the owner of the account in an incident. You’ll also use this process if an employee goes rogue.

I’ve been on Twitter for a few years now, and over that time I’ve watched not only its mass adoption, but also how people changed their communication habits. One of the most unexpected changes (for me) is how many people now use Twitter Direct Messages as instant messaging.

It’s actually a great feature – with IM someone needs to be online and using a synchronous client, but you can drop a DM anytime you want and, depending on their Twitter settings and apps, it can follow them across any device and multiple communications methods. DM is oddly a much more reliable way to track someone down, especially if they link Twitter with their mobile phone.

The problem is that all these messages are persistent, forever, in the Twitter database. And Twitter is now one of the big targets when someone tries to hack you (as we’ve seen in a bunch of recent grudge attacks).

I don’t really say anything over DM that could get me in trouble, but I also know that there’s probably plenty in there that, taken out of context, could look bad (as happened when a friend got hacked and some DMs were plastered all over the net).

Thus I suggest you delete all your DMs occasionally. This won’t necessarily clear them from all the Twitter apps you use, but does wipe them from the database (and the inboxes of whoever you sent them to).

This is tough to do manually, but, for now, there’s a tool to help. Damon Cortesi coded up DM Whacker, a bookmarklet you can use while logged into Twitter to wipe your DMs. Before I tell you how to use it, one big warning: this tool works by effectively performing a Cross-Site Request Forgery attack on yourself. I’ve scanned the code and it looks clean, but that could change at any point without warning, and I haven’t seriously programmed JavaScript for 10 years, so you really shouldn’t take my word on this one.

The process is easy enough, but you need to be in the “old” Twitter UI:

If you use the “new” Twitter UI, switch back to the “old” one in your settings.

Click the bookmarklet.

A box will appear in the upper-right of the Twitter page. Select what you want to delete (received and sent) or even filter by user.

Click the button, and leave the page running for a while. The process can take a bit, as it’s effectively poking the same buttons you would manually.

If you are really paranoid (like me) change your Twitter password. It’s good to rotate anyway.

And that’s it.

I do wish I could keep my conversation history for nostalgia’s sake, but I’d prefer to worry less about my account being compromised. Also, not everyone I communicate with over Twitter is as circumspect, and it’s only fair to protect their privacy as well.

I am no fan of “security through obscurity”. Peer review and open discourse on security have proven essential in the development of network protocols and cryptographic algorithms. Regardless, that does not mean I choose to disclose everything. I may disclose protocols and approach, but certain details I choose to withhold.

Case in point: if I were Twitter, and wanted to reduce account hijacking by ridding myself of weak passwords which can be easily guessed, I would not disclose my list of weak passwords to the user community. As noted by TechCrunch:

If you’re on Twitter, that means you registered an account with a password that isn’t terribly easy to guess. As you may know, Twitter prevents people from doing just that by indicating that certain passwords such as ‘password’ (cough cough) and ‘123456’ are too obvious to be picked. It just so happens that Twitter has hard-coded all banned passwords on the sign-up page. All you need to do to retrieve the full list of unwelcome passwords is take a look at the source code of that page. Do a simple search for ‘twttr.BANNED_PASSWORDS’ and voila, there they are, all 370 of them.

The common attack vector is to perform a dictionary attack on known accounts. A good dictionary is an important factor for success. It is much easier to create a good dictionary if you know for certain many common passwords will not be present. Making the list easy to discover makes it much easier for someone to tune their dictionary. I applaud Twitter for trying to improve passwords and thereby making them tougher to guess, but targeted attacks just got better as well. Because here’s a list of 370 passwords I don’t have to test.
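The defensive alternative to hard-coding the list in the sign-up page is to keep it on the server and answer only for the one candidate a user submits. The following is an added example (my code, not Twitter's) of that arrangement: the server stores keyed digests of the banned words rather than the words themselves, so a leaked copy of the index does not hand an attacker the list, and the client learns nothing beyond the verdict for its own candidate. The dozen entries in `BANNED_SAMPLE` are a constructed stand-in for the 370-entry list, and the function names, the HMAC-SHA-256 choice and the 10-character default are my assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample in the spirit of Twitter's list; the real list had 370
# entries and is deliberately not reproduced here.
BANNED_SAMPLE = [
    "password", "123456", "qwerty", "letmein", "twitter", "abc123",
    "iloveyou", "monkey", "111111", "welcome", "football", "dragon",
]

# Server-side secret. Because the index is keyed, even a leaked copy of it
# cannot be turned back into the word list without this key.
SERVER_KEY = os.urandom(32)


def normalize(candidate: str) -> str:
    """Canonical form so 'Password' and 'password ' hit the same entry."""
    return candidate.strip().lower()


def digest(candidate: str, key: bytes = SERVER_KEY) -> bytes:
    """Keyed digest of the normalized candidate (HMAC-SHA-256)."""
    return hmac.new(key, normalize(candidate).encode("utf-8"), hashlib.sha256).digest()


def build_banned_index(banned, key: bytes = SERVER_KEY) -> frozenset:
    """What the server stores: keyed digests only, never the plaintext list."""
    return frozenset(digest(p, key) for p in banned)


BANNED_INDEX = build_banned_index(BANNED_SAMPLE)


def is_banned(candidate: str, index=None, key: bytes = SERVER_KEY) -> bool:
    """Membership test against the keyed index; wrong key means no matches."""
    index = BANNED_INDEX if index is None else index
    return digest(candidate, key) in index


def check_password(candidate: str, min_length: int = 10) -> list:
    """Return the list of policy problems; an empty list means the candidate is acceptable.

    The client only ever learns the verdict for the one candidate it submitted,
    which is the most a rate-limited sign-up endpoint should reveal.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_banned(candidate):
        problems.append("on the banned-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Password", "correct-horse-battery-staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The trade-off is that every check becomes a round trip to the server, which is exactly where you want it: the endpoint can be rate-limited and logged, whereas a list in page source can be read once and reused offline.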

This post doesn’t have a whole heck of a lot to do with security, but it’s a topic I suspect all of us think about from time to time.

With the continuing explosion of social media outlets, I’ve noticed myself (and most of you) bouncing around from app to app as we figure out which ones work best in which contexts, and which are even worth our time. The biggest challenge I’ve found is compartmentalization – which tools to use for which jobs, and how to manage my personal and professional online lives. Again, I think it’s something we all struggle with, but for those of us who use social media heavily as part of our jobs it’s probably a little more challenging.

Here’s my perspective as an industry analyst. I really believe I’d manage these differently if I were in a different line of work (or with a different analyst firm), so I won’t claim my approach is the right one for anyone else.

Blogs: As an analyst, I use the Securosis blog as my primary mechanism for publishing research. I also think it’s important to develop a relationship (platonic, of course) with readers, which is why I mix a little personal content and context in with the straighter security posts. For blogging I deliberately use an informal tone which I strip out of content that is later incorporated into research reports and such.

Our informal guidelines are that while not everything needs to be directly security related, over 90% of the content should be dedicated to our coverage areas. Of our research content, 80% should be focused on helping practitioners get their jobs done, with the remaining 20% split between news and more forward-looking thought leadership. We strive for a minimum of 1 post a day, with 3 “meaty” content posts each week, a handful of “drive-by” quick responses/news items a week, and our Friday summary. Yes, we really do think about this stuff that much.

I don’t currently have a personal blog outside of the site due to time, and (as we’ll get to) Twitter takes care of a lot of that. I also read a ton of other blogs, and try to comment and link to them as much as possible.

I also consider the blog the most powerful peer-review mechanism for our research on the face of the planet. It’s the best way to be open and transparent about what we do, while getting important feedback and perspectives we never could otherwise. As an analyst, it’s absolutely invaluable.

Podcasts: My primary podcast is co-hosting The Network Security Podcast with Martin McKeay. This isn’t a Securosis-specific thing, and I try not to drag too much of my work onto the show. Adrian and I plan on doing some more podcasts/webcasts, but those will be oriented towards specific topics and filling out our other content. Running a regular podcast is darn hard. I like the NetSecPodcast since it’s more informal and we get to talk about any off the wall topic (generally in the security realm) that comes to mind.

Twitter: After the blog, this is my single biggest outlet. I initially started using Twitter to communicate with a small community of friends and colleagues in the Mac and security communities, but as Twitter exploded I’ve had to change how I approach it. Initially I described Twitter as a water cooler where I could hang out and chat informally with friends, but with over 1200 followers (many of them PR, AR, and other marketing types) I’ve had to be a little more careful about what I say.

Generally, I’m still very informal on Twitter and fully mix in professional and personal content. I use it to share and interact with friends, highlight some content (but not too much, I hate people who use Twitter only to spam their blog posts), and push out my half-baked ideas. I’ve also found Twitter especially powerful to get instant feedback on things, or to rally people towards something interesting. I really enjoy being so informal on Twitter, and hope I don’t have to tighten things down any more because too many professional types are watching.

It’s my favorite way to participate in the wider online community, develop new collaboration, toss out random ideas, and just stay connected with the outside world as I hide in my home office day after day. The bad side is I’ve had to reduce using it to organize meeting up with people (too many random followers in any given area), and some PR types use it to spy on my personal life (not too many; some of them are also in the friends category, but it’s happened).

The @Securosis Twitter account is designed for the corporate “voice”, while the @rmogull account is my personal one. I tend to follow people I either know or who contribute positively to the community dialog. I only follow a few corporate accounts, and I can’t possibly follow everyone who follows me. I follow people who are interesting and I want to read, rather than using it as a mass-networking tool. With @rmogull there’s absolutely no split between my personal and professional lives; it’s for whatever I’m doing at the moment, but I’m always aware of who is watching.

LinkedIn: I keep going back and forth on how I use LinkedIn, and recently decided to use it as my main business networking tool. To keep the network under control I generally only accept invitations from people I’ve directly connected with at some point. I feel bad turning down all the random connections, but I see social networks as having power based on quality rather than quantity (that’s what groups are for). Thus I tend to turn down connections from people who randomly saw a presentation or listened to a podcast. It isn’t an ego thing; it’s that, for me, this is a tool to keep track of my professional network, and I’ve never been one of those business card collectors.

Facebook: Facebook is the toughest one of the bunch since it is a cross between Twitter, LinkedIn, Flickr, and so on. I very recently decided that Facebook is best for my friends and family, and thus I don’t link in professional contacts that aren’t also in that group. I like being able to keep in touch with people from back in high school, and the kinds of things they are interested in are very different than the people I meet in the security and Mac communities. Again, it isn’t an ego thing, but we all have different communities of people we interact with and I think it’s completely appropriate to have different outlets for each of them.

IM/Skype: This isn’t social networking per se, but I leave them running as much as I can. I think they’re great for private conversations.

MySpace, Photo Sites, and Other Outlets: I tend not to use too many other social media outlets – between the blog, Twitter, Facebook, podcasts, and LinkedIn I can connect with nearly anyone in some sort of appropriate context. I do use a photo sharing mechanism, but that’s very personal and I don’t make it public. I have a MySpace account, which I never use since Facebook is more prevalent with the people I know. I’m debating linking to others with TripIt, and may limit that tightly to people I might actually want to see when our travel overlaps. I feel like I’m missing something, but can’t think of what it is.

And that’s it. My personal perspective is that the power of my social networks is in quality and correct context over quantity. I try and pick the right tools for the right job and community. If I were to break it out, the blog is our newsletter and peer review for our research, Twitter is the water cooler, IM is sticking my head in someone’s office, LinkedIn is a rolodex and context/community Q&A mechanism, and Facebook is for keeping in touch with geographically dispersed friends and family. I also don’t believe in manipulating social media – I try to use it as honestly and openly as possible, rather than as a marketing tool. Yes, it probably builds my brand, but that’s not what I’m thinking about when I fake-live-tweet the latest Star Trek, call for feedback on my latest wacky research idea, or write uninteresting dribble like this post.

Update: Some additional information was just posted on the Twitter Blog. Along with some comments on how their soon-to-be-beta ‘OAuth’ would not have prevented this attack, there is also some information on the extent of the scam. Seems that Barack Obama’s account was hacked along with a few others. Did this strike anyone else as odd: if Obama has not been twittering since being elected, does that mean a staffer logged in on his behalf?

An interesting note popped up on Twitter this morning about a phishing attack through direct messages and direct email. The phish is very well done and looks legit, so it will probably be effective. It asks you to provide your Twitter access credentials, but the domain is accesslogins.com. The WHOIS for Access-Logins shows it owned by XIN NET Technology Corp from Beijing, with all of the 126.com email accounts hosted from Netease.com. That’s a long way from San Francisco. Access-Logins is the home of a few dozen other phishing sites, from McAfee to Defcon. Needless to say, don’t click on email links.

The real question on my mind is: once you have clicked through to the phishing login page, will Twitter’s real reset password function be vulnerable to an XSS attack? I do not have a copy of the original email so I am unable to test. If you fall victim to this you will want to clear all of your private data from the browser and restart it before trying to reset your password. Or shut down your current browser and use the password reset from a different one; otherwise other passwords may be captured as well.
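The “don’t click on email links” advice comes down to one check: does the link’s registrable domain match the site you think you are logging in to? The following is an added example (my code, not from the post or from Twitter) of that check as a defender would script it for a mail gateway or a browser extension. It flags the lookalike domain from the post along with the usual tricks for hiding it: the real site name used as a subdomain, the real site name placed in the URL’s userinfo before an `@`, bare IP addresses and non-web schemes. The allowlist, the sample links and the two-label simplification of “registrable domain” are my assumptions; a production version would consult the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlparse

# Registrable domains the user actually expects to log in to. Constructed
# allowlist for this example.
TRUSTED_DOMAINS = {"twitter.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('twitter.com' from 'api.twitter.com').

    Simplifying assumption: a real check consults the Public Suffix List so
    that names like 'example.co.uk' are handled; two labels suffice here.
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def link_verdict(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Explain why a link is or is not one the user should enter credentials into."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return f"untrusted: scheme {parsed.scheme!r}"
    host = parsed.hostname  # drops user:pass@ and :port, so 'a.com@b.com' yields 'b.com'
    if not host:
        return "untrusted: no host"
    try:
        ipaddress.ip_address(host)
        return "untrusted: bare IP address"
    except ValueError:
        pass  # not an IP literal, carry on with the name checks
    if parsed.username is not None:
        # 'https://twitter.com@accesslogins.com' puts the real site name in the userinfo
        return f"untrusted: credentials in URL, real host is {host}"
    domain = registrable_domain(host)
    if domain in trusted:
        return f"trusted: {host}"
    return f"untrusted: {host} (registrable domain {domain})"


def is_trusted_link(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    return link_verdict(url, trusted).startswith("trusted")


# Constructed samples modelled on the phish described above.
SAMPLE_LINKS = [
    "https://twitter.com/login",
    "https://api.twitter.com/oauth",
    "http://accesslogins.com/twitter/login.php",
    "https://twitter.com.accesslogins.com/",
    "https://twitter.com@accesslogins.com/",
    "https://twitter.com:443/settings",
    "http://192.0.2.10/twitter",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:48} {link_verdict(link)}")
```

The check is deliberately conservative: any link carrying userinfo is rejected even when the host itself is fine, because there is no legitimate reason for a login link in email to embed credentials.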